System and method for preventing data loss using virtual machine wrapped applications

ABSTRACT

A method in one example implementation includes selecting at least one criterion for controlling data transmission from within a virtual machine. At least one application is included within the virtual machine, which includes a policy module. The selected criterion corresponds to at least one policy associated with the policy module. The method also includes evaluating the selected criterion of the policy to permit an attempt to transmit the data from within the virtual machine. In more specific embodiments, the policy may include a plurality of criteria with a first selected criterion permitting transmission of the data to a first application and a second selected criterion prohibiting transmission of the data to a second application. In another specific embodiment, the method may include updating the policy module through an administration module to modify the selected criterion.

TECHNICAL FIELD

This disclosure relates in general to the field of security and, more particularly, to preventing data loss in a virtual environment.

BACKGROUND

The field of network security has become increasingly important in today's society. In particular, the ability to effectively protect computers, systems, and the data residing on such computers and systems presents a significant obstacle for component manufacturers, system designers, and network operators. This obstacle is made even more difficult due to continuously evolving security threats. Virtualization is a software technology that allows a complete operating system to run on an isolated virtual environment (typically referred to as a virtual machine), where a platform's physical characteristics and behaviors are reproduced. Virtualization can also provide for execution of a single application within a virtual machine. A virtual machine can represent an isolated, virtual environment (lying on top of a host operating system (OS) or running on bare hardware), equipped with virtual hardware (processor, memory, disks, network interfaces, etc.). Commonly, the virtual machine is managed by a virtualization product. A virtual machine monitor (VMM) is typically the virtualization software layer that manages hardware requests from a guest OS (e.g., simulating answers from real hardware). A hypervisor is typically computer software/hardware platform virtualization software that allows multiple operating systems to run on a host computer concurrently. Applications represent a unique challenge in virtual environments because they can easily be manipulated in order to infect a given computer system. Security professionals and network administrators should account for these issues in order to protect computers and systems from emerging security threats.

BRIEF DESCRIPTION OF THE DRAWINGS

To provide a more complete understanding of the present disclosure and features and advantages thereof, reference is made to the following description, taken in conjunction with the accompanying figures, wherein like reference numerals represent like parts, in which:

FIG. 1 is a simplified block diagram of a system for preventing data loss using virtual machine wrapped applications in accordance with one embodiment;

FIG. 2 is a simplified block diagram of an example embodiment of a system for preventing data loss using virtual machine wrapped applications;

FIG. 3 is a simplified flowchart illustrating a series of example steps associated with the system in accordance with one embodiment; and

FIG. 4 is a simplified flowchart illustrating a series of example steps associated with the system in accordance with another embodiment.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS Overview

A method in one example implementation includes selecting at least one criterion for controlling data transmission from within a virtual machine. At least one application is included within the virtual machine and the virtual machine includes a policy module. The selected criterion corresponds to at least one policy associated with the policy module. The method also includes evaluating the selected criterion of the policy to permit an attempt to transmit the data from within the virtual machine. In more specific embodiments, the policy includes a plurality of selected criteria, including a first selected criterion that permits transmission of the data to a first other application and a second selected criterion that prohibits transmission of the data to a second other application. In other more specific embodiments, the selected criterion permits transmission of the data to a client device of one of a plurality of users if the client device is requesting access to the application from within a secured network environment. In another more specific embodiment, the method includes updating the policy module through an administration module to modify the selected criterion.

Example Embodiments

FIG. 1 is a simplified block diagram of a system 10 for protecting data from accidental and deliberate leakage in a virtual environment using virtual machine wrapped applications. System 10 may include a plurality of virtual machines 12, 14, 24, and 26, and an operating system 30. System 10 may also include a virtual machine monitor 16 that includes a memory element 18, a policy administration module 20, and a processor 22. Memory element 18 may contain a master image 38 with stored entries corresponding to the most current versions of software used within system 10. Each of virtual machines 12, 14, 24, and 26 includes an associated firewall policy module 34 a, 34 b, 34 c, and 34 d, respectively. Not shown in FIG. 1 is additional hardware that may be suitably coupled to operating system 30 and virtual machine monitor 16 (e.g., provided below their logical representations) in the form of memory management units (MMU), symmetric multiprocessing (SMP) elements, physical memory, Ethernet, small computer system interface (SCSI)/integrated drive electronics (IDE) elements, etc.

In example embodiments, system 10 wraps each application or suite of applications within a virtual machine in order to protect data associated with the application from accidental and deliberate leakage. For purposes of illustrating the techniques of system 10, it is important to understand the activities occurring within a given network. The following foundational information may be viewed as a basis from which the present disclosure may be properly explained. Such information is offered earnestly for purposes of explanation only and, accordingly, should not be construed in any way to limit the broad scope of the present disclosure and its potential applications.

Typical network environments including, among others, local area networks (LANs), wide area networks (WANs), Campus Area Networks (CANS), intranets, and extranets are used by businesses, schools, and other organizations to link multiple personal computers or client devices together, along with servers that allow the client devices to access shared data and applications related to the function of the organization. In addition, these networks are often configured to provide internet connections from client devices in the network to the Internet, enabling access to the World Wide Web and possibly other networks. The data maintained by the organizations typically includes varying types and degrees of confidential data, where data such as payroll records and legal documents often requires a high degree of protection, whereas data such as customer sales may require a lesser degree of protection. Network administrators typically configure their networks to allow particular persons (or groups of persons) access to specific applications, depending upon the type and degree of confidential data associated with the applications. For example, persons working within a human resources department would possibly have access to data and applications associated with the human resources department, but not have access to data and applications associated with the legal department. This type of security is typically applied at the operating system level.

Security at the operating system level alone is flawed because it relies on individuals properly controlling the data and applications to avoid accidental and deliberate misuse of confidential data. When multiple applications are running on an operating system, it is possible to share data between them using the operating system clipboard, a file system, and the like (e.g., using copy and paste functions, save, move, send to, import and export type functions, etc.). Thus, an authorized user accessing legal department data could mistakenly (or deliberately) share a confidential legal file or data with another user who is not authorized to access such information. This could be accomplished, for example, by using copy and paste functions between the legal application and another application to store the confidential data in an unprotected memory space to which unauthorized users in the organization have access. In another example, a user could email a message from the legal application containing confidential data that was copied into the message, or included as an attachment, to an unauthorized user. In addition, temporary files may also be at risk for leaking confidential data as they are normally available within the operating system. If an application terminates before all temporary files are deleted, then those remaining temporary files could be accessed by a savvy user, or by malicious third party software. Temporary files could contain confidential data from an application being run by an authorized user, or other information that was downloaded, such as, for example, details of a user's bank account. Such temporary files are at risk of exposure because they are often not protected.

Data leakage problems can also occur when authorized users access their organization's network from an unsecured or less secure environment. For example, users often take their laptops home or otherwise outside the corporate environment and remotely logon to their organization's network. Such networks typically have a firewall, which is a device or set of devices configured to control computer traffic sent to/from the network. Firewalls are usually designed to block unauthorized access, while permitting authorized communications based upon a set of rules and other criteria. Even with appropriate firewall protections, data leakage can occur, for example, if an authorized user accesses the network from a less secure (remote) location and begins retrieving confidential data. The confidential data may travel from the firewall-protected network to the user's computer through various communication paths and networking devices such as telephone lines, cable modems, fiber optic cables, satellites, microwaves, routers, gateways, switches, etc. Furthermore, the user's computer may no longer be protected by a firewall when it is remotely accessing the organization's network, thereby exposing the user's computer to various forms of malware, which could put the confidential data at risk.

A system for preventing data loss as outlined by FIG. 1 can resolve many of these issues. In accordance with one example implementation, an application is provided to encapsulate or wrap each application or suite of applications used in a network within a virtual machine. Access to and from each virtual machine can be controlled by an associated firewall (i.e., security) policy, or any other suitable security safeguard. Confidential data, as potentially defined by the associated firewall policy, may be contained within the virtual machine wrapped application such that copy and paste buffers and temporary files would not be accessible through the main operating system underlying the virtual machine. In addition, the virtual machine wrap provides an additional layer of security on top of the operating system, which could prevent direct access to the memory where the confidential data is stored. The associated firewall policy may be evaluated to determine whether the virtual machine wrapped application is allowed to share data (e.g., using copy and paste buffers, save, move, send to, and import/export type functions, email, etc.). For example, a first virtual machine wrapped application may be allowed to share confidential data with a second virtual machine wrapped application, but not with a third virtual machine wrapped application and not with a fourth application, which may not have a virtual machine wrap. Thus, system 10 can provide focused, specific security around each application or suite of applications to control access by users and other virtual machines. Such a system could allow for any application running on the main operating system or running on an operating system of a specific device, such as an end user's client device, to be wrapped within a virtual machine. Also, system 10 could automatically generate and maintain, or a network administrator could configure and maintain, master image 38 representing particular versions (e.g., the most current version) of software, so that each virtual machine wrapped application could be updated as needed.

Generally, virtual machines can be implemented to run complete operating systems and their associated applications (system virtual machines), or to run a single application or suite of applications (process virtual machines). Virtual machines can be implemented as Type 1, running below the host operating system directly on the hardware or as Type 2, running on top of a host operating system. Both system and process virtual machines can have some type of virtualization software that manages virtual machines and any guest operating systems. As used herein in this Specification, the term ‘virtual machine monitor’ is meant to include hypervisors, or other software or objects that can operate to manage one or more virtual machines and allow desired policy administration as detailed below.

Note that in computing, an executable (file) can cause a computer to perform indicated tasks according to encoded instructions, as opposed to a file that only contains data. Files that contain instructions for an interpreter or virtual machine may be considered ‘executables’ or ‘binaries’ in contrast to program source code. The more generic term ‘object’ (as used herein in this Specification) is meant to include any such executables, binaries, kernel modules, etc., which are sought to be invoked, initiated, or otherwise executed.

Turning to the infrastructure of FIG. 1, virtual machine monitor 16 can be implemented to manage multiple applications that are each wrapped separately by a virtual machine 12, 14, 24, and 26. In one example implementation, virtual machine monitor 16 can be thought of as virtualization software running on top of main operating system 30, with the plurality of virtual machines 12, 14, 24, and 26 also running on top of existing operating system 30. Based on the particular environment or according to specific user needs, however, virtual machine monitor 16 could be implemented as a hypervisor to run on bare hardware with each virtual machine 12, 14, 24, and 26 running its own operating system. Virtual machine monitor 16 can be part of a server, a firewall, or more generically, a computer. In addition, it is within the broad teachings of this disclosure that virtual machine monitor 16, including policy administration module 20 and master image 38, may be located in a central base of the network (e.g., IT headquarters), for direct access by a network administrator to configure and maintain the system. In one example embodiment shown in FIG. 1, there is a human resources application 28 wrapped in virtual machine 12, a customer sales application 32 wrapped in virtual machine 14, an application suite 40 having multiple applications wrapped in virtual machine 24, and an Adobe® application 44 wrapped in virtual machine 26. Application suite 40 may include, for example, bundled software applications such as Microsoft® Word, Excel®, and PowerPoint®.

In this example embodiment, a user with appropriate authority such as a network administrator is provided with an interface to manage the complete setup of virtual machines 12, 14, 24, and 26 and associated firewall policy modules 34 a, 34 b, 34 c, and 34 d. This management can include configurations of the virtual machine monitor and the virtual machines, creation, deletion, modification, shutdown, updating, and startup of the virtual machines, etc. The interface may allow the network administrator to initially configure and maintain master image 38 comprising entries that correspond to particular versions of the applications within the network. Alternatively, system 10 may automatically generate and update master image 38. Through policy administration module 20, the network administrator can select desired specific criteria for the policies to be applied to each virtual machine 12, 14, 24, and 26, through respective firewall policy modules 34 a, 34 b, 34 c, and 34 d. The policies can be tailored to meet particular desired security for data depending upon, for example, the confidentiality of the data accessible through the virtual machine wrapped application, the particular users seeking access to the data, particular job titles, particular department types, particular timestamps of information, particular locations in which a request for data access originates, particular days and times of days a request for data access originates, specifically configured permissions, etc. Once virtual machines 12, 14, 24, and 26 are configured with associated firewall policy modules 34 a, 34 b, 34 c, and 34 d, the virtual machines can be deployed to targeted computers, such as an end user's client device, a server, or any other device configured to host the virtual machine wrapped applications, which can be made accessible to authorized users. Policy administration module 20 is also configured to allow the network administrator to maintain virtual machines 12, 14, 24, and 26 and to update or change the security policies on firewall policy modules 34 a, 34 b, 34 c, and 34 d, as needed.

A first level of security associated with system 10 can relate to authentication. Authentication determines whether a user is authorized to access the network and within the network, which particular applications or data the user is allowed to access. Although authentication is typically applied at the operating system level, at least a portion of the authentication process may also be applied through firewall policy modules 34 a, 34 b, 34 c, and 34 d. Once an authorized user is granted access to an application within virtual machine 12, 14, 24, or 26, the associated firewall policy module 34 a, 34 b, 34 c, or 34 d may restrict what the user can do within the application. In one example embodiment, a policy may be applied to firewall policy module 34 a for human resources virtual machine 12, preventing an authorized user from transmitting (e.g., copying, pasting, moving, sending, exporting, emailing, etc.) confidential data, such as employee salary data, from human resources virtual machine 12 to another application or user, such as, for example, application suite virtual machine 24. Alternatively, if the user has a higher approved level of authorization, then the policy may be tailored to allow data transmission with data tracking. In this situation, when the user is allowed to transmit confidential data from human resources application virtual machine 12 to another application or user, the transmitted confidential data may be recorded in a data log stored in a memory element. As used herein in this Specification, the terms ‘transmit’ and ‘transmission’ are meant to encompass any operations associated with copying, cutting, pasting, saving, moving, sending, importing, exporting, emailing, or otherwise manipulating data.

Another form of policy that may be used within firewall policy modules 34 a, 34 b, 34 c, and 34 d, includes policies related to the environment from which a user requests access to particular applications. For example, if a user requests access to human resources virtual machine 12 from a client device (e.g., a laptop, etc.) when the user is physically located within the network's secure environment, then firewall policy module 34 a can perform a check to determine if the user is within a secure environment and allow access accordingly. However, if the user is out of the office, such as on a commuter train, and is therefore outside of the network's secure environment, then because of the confidential nature of the information within human resources virtual machine 12, the policies of firewall policy module 34 a may be configured to prohibit the user from accessing the human resources application within virtual machine 12. Thus, the protocol can prevent the user from potentially leaking data when the user is in a less secure environment. The scope of this disclosure is intended to encompass any type or combination of firewall policies desired by a particular organization for controlling data leakage from one or more of its applications within its network. Such policies include, but are not limited to, policies restricting data movement between particular applications, policies restricting application access depending upon the user's environment, policies restricting application access depending upon the time of day or particular days access is requested, and policies restricting data movement from particular applications to particular individuals or groups of individuals.

Turning to FIG. 2, FIG. 2 is a simplified block diagram illustrating one implementation of a data loss prevention system 50 using virtual machine wrapped applications in accordance with the present disclosure. In this example implementation, a network of an organization, such as a corporation or other business entity, is provided with a machine 60 being logically connected to a central human resources system 52, a central intellectual property store 54, and a mail server 56, which can be part of the organization's network infrastructure. It should be noted that the term “machine” is interchangeable with the term “computer.” Machine 60 includes applications in a common operating environment 72 (e.g., an operating system). These applications include a mail client 64 connected to mail server 56 for sending and receiving email communications that are not associated or linked to data or applications secured within the virtual environment. Machine 60 also includes a virtual machine 66 for accessing central intellectual property store 54. Virtual machine 66 includes a firewall policy module 68 and a mail client 70 for sending and receiving emails from virtual machine 66. A secure mail proxy 58 connects mail client 70 in virtual machine 66 to mail server 56 on the network. Machine 60 may also be configured with a USB drive 62.

In the implementation shown in FIG. 2, machine 60 may be operated by a user who is the head of research of the organization. System 50 may require authentication that the user is authorized to use machine 60 to access various resources within the network. Such an authentication could be performed by the operating system, where a unique user ID and password are validated. Once the user is properly authenticated, he/she may be allowed to access certain resources within the organization. For example, as the head of research, the user may be allowed to access central intellectual property store 54, but not central human resources system 52, as exemplified by the dashed lines connecting machine 60 to central human resources system 52 in FIG. 2. In an alternate embodiment, the user may be allowed to access central human resources system 52 for particular confidential data only, such as data corresponding to employees in the Research Department who report to the user. Allowing or blocking access to a particular resource or application may be accomplished through the operating system using the authentication mechanism described above. However, it is within the broad teachings of this disclosure to configure the system to perform authentication for access to a particular virtual machine wrapped application within its associated firewall policy module. Specifically a policy may be applied to a firewall policy module having selected criteria that is evaluated to determine whether the user is allowed to access the specific virtual machine wrapped application. If authorized, the user may access central intellectual property store 54 through virtual machine 66. Firewall policy module 68 associated with virtual machine 66 may be configured with a policy having selected criteria to control data transmissions from central intellectual property store 54. For example, the selected criteria may allow the user to access confidential data within central intellectual property store 54, but not allow the data to be copied and pasted, moved, exported, emailed or otherwise transmitted to another application. In the alternate embodiment described above, in which the user is given limited access to central human resources system 52, the selected criteria in the policy of associated firewall policy module 68 could only allow confidential data related to particular employees to be accessed by the user. The selected criteria may or may not allow the user to transmit the accessible data to other applications. As previously noted herein, it is within the broad teachings of this disclosure that the selected criteria can be configured to allow data transmission to certain applications and to prohibit data transmission to other applications.

In the particular example implementation shown in FIG. 2, the user is allowed access to email from within virtual machine 66. In this situation, any email being sent from virtual machine 66 is transmitted to secure mail proxy 58, before being sent to mail server 56. In secure mail proxy 58, the email may be screened for any confidential data protected by that particular application. Thus, the selected criteria of firewall policy module 68 would be applied to the content, attachments, and routing of the email. It is also within the broad teaching of this disclosure that a log be kept for recording entries corresponding to data that is allowed to be sent from secure mail proxy 58, thus allowing the organization to track particular data that is shared between applications and users in the organization. Finally, USB drive 62 is accessible to common operating environment 72 of machine 60, where firewall policy module 68 may include a policy with selected criteria that prevents virtual machine 66 from communicating with the USB port. This prevents users from copying protected data to a flash drive on USB drive 62, and it also protects the virtual machine wrapped application from communicating with any software application introduced to machine 60 through USB drive 62. This virtualization of individual applications with an associated firewall policy module is particularly useful for protecting data from infected software introduced to machine 60 through USB drive 62. The user of virtual machine 66 could, therefore, be limited to specific tasks within the virtual machine wrapped application in order to reduce the ability of obfuscating, or compromising confidential data.

Turning to FIG. 3, FIG. 3 is a simplified flowchart 100 illustrating a number of example steps associated with one implementation of a data loss prevention system. The flow may begin at step 110, where a request to access restricted data is received. At step 120, the query is answered as to whether the request to access restricted data is allowed. If the request to access restricted data is not authorized, then the flow moves to step 122 where the request is denied. If the request to access restricted data is authorized, the flow moves to step 124 where a query is made as to whether the central base is available for a master image check. If the central base is not available, the flow moves to step 126 where access will depend on the criteria of the policy, where the criteria was previously selected by the network administrator. For example, if the data is highly confidential, then the selected criteria might require the virtual machine to be disabled from operation until the central base is available for a master image check. However, if the data has a lesser degree of confidentiality, then the selected criteria may allow access to the virtual machine even without the central base checking the master image. If the central base is available for a master image check in step 124, the flow moves to step 130 where a query is made as to whether the client has an approved (i.e., a current version) virtual machine. This check is performed by searching the master image 38 to determine if the software is current, including, but not limited to, the application, the virtual machine, and the firewall policy module. If the client does not have an approved virtual machine, the flow passes to step 140 where the virtual machine is downloaded or updated to contain the correct software and the flow passes back to the query in step 130. If the client does have an approved virtual machine as queried in step 130, the flow passes to step 150 to allow access to the virtual machine. In the situation where the central base is not available for a master image check at step 124 but the selected criteria nevertheless allows access to the restricted data, then the next time the central base is available for a master image check during a request to access restricted data, the virtual machine wrapped application will be updated at step 140 if it is not current. In accordance with the teachings in this disclosure, as detailed above, the user's ability to transmit data may be restricted within the virtual machine depending upon the selected criteria in the policies of the particular firewall policy module associated with the virtual machine.

Software for configuring and maintaining the virtual machine wrapped applications and associated firewall policy modules can be provided at various locations (e.g., the central base or IT headquarters). In other embodiments, this software could be received or downloaded from a web server (e.g., in the context of purchasing individual end-user licenses for separate networks, devices, virtual machines, servers, etc.) in order to provide this system for preventing data loss using virtual machine wrapped applications. Software for controlling data transmission from within virtual machine wrapped applications in a network can also be provided at various locations (e.g., within firewall policy modules 34 a, 34 b, 34 c, and 34 d) once the virtual machine wrapped applications and associated firewall policy modules have been initially configured. In one example implementation, this software is resident in a computer sought to be protected from a security attack (or protected from unwanted, or unauthorized manipulations of data). In a more detailed configuration, this software is specifically resident in a security layer of a virtual machine and provides an interface between the virtual machine and the underlying operating system and between the virtual machine and other virtual machines within the system, which also may include (or otherwise interface with) the components depicted by FIG. 1.

In other examples, the data loss prevention software could involve a proprietary element (e.g., as part of a network security authentication solution), which could be provided in (or be proximate to) these identified elements, or be provided in any other device, server, network appliance, console, firewall, switch, information technology (IT) device, etc., or be provided as a complementary solution (e.g., in conjunction with a firewall), or provisioned somewhere in the network. As used herein in this Specification, the term ‘computer’ is meant to encompass these possible elements (VMMs, hypervisors, Xen devices, virtual machines or other devices, network appliances, routers, switches, gateways, processors, servers, loadbalancers, firewalls, or any other suitable device, machine, component, element, or object) operable to affect or process electronic information in a security environment. Moreover, this computer may include any suitable hardware, software, components, modules, interfaces, or objects that facilitate the operations thereof. This may be inclusive of appropriate algorithms and communication protocols that allow for the effective protection of data. In addition, the data loss prevention system can be consolidated in any suitable manner. Along similar design alternatives, any of the illustrated modules and components of FIGS. 1 and 2 may be combined in various possible configurations, all of which are clearly within the broad scope of this Specification.

In certain example implementations, the data loss prevention system outlined herein may be implemented by logic encoded in one or more tangible media (e.g., embedded logic provided in an application specific integrated circuit (ASIC), digital signal processor (DSP) instructions, software (potentially inclusive of object code and source code) to be executed by a processor, or other similar machine, etc.). In some of these instances, a memory element (as shown in FIG. 1) can store data used for the operations described herein. This includes the memory element being able to store software, logic, code, or processor instructions that are executed to carry out the activities described in this Specification. A processor can execute any type of instructions associated with the data to achieve the operations detailed herein in this Specification. In one example, the processor (as shown in FIG. 1) could transform an element or an article (e.g., data) from one state or thing to another state or thing. In another example, the activities outlined herein may be implemented with fixed logic or programmable logic (e.g., software/computer instructions executed by a processor) and the elements identified herein could be some type of a programmable processor, programmable digital logic (e.g., a field programmable gate array (FPGA), an erasable programmable read only memory (EPROM), an electrically erasable programmable read only memory (EEPROM)) or an ASIC that includes digital logic, software, code, electronic instructions, or any suitable combination thereof.

Any of these elements (e.g., a computer, a server, a network appliance, a firewall, a virtual machine monitor, any other type of virtual element, etc.) can include memory elements for storing information to be used in achieving the data loss prevention system operations as outlined herein. Additionally, each of these devices may include a processor that can execute software or an algorithm to perform the data loss prevention activities as discussed in this Specification. These devices may further keep information in any suitable memory element (random access memory (RAM), ROM, EPROM, EEPROM, ASIC, etc.), software, hardware, or in any other suitable component, device, element, or object where appropriate and based on particular needs. Any of the memory items discussed herein (e.g., data log, master image, etc.) should be construed as being encompassed within the broad term ‘memory element.’ Similarly, any of the potential processing elements, modules, and machines described in this Specification should be construed as being encompassed within the broad term ‘processor.’ Each of the computers, network appliances, virtual elements, etc. can also include suitable interfaces for receiving, transmitting, and/or otherwise communicating data or information in a secure environment.

FIG. 4 is a simplified flowchart 200 illustrating a number of example steps associated with another implementation of a data loss prevention system in which the application is a browser. In this particular example, an online institution asks users seeking access to the online institution to use the browser wrapped by a virtual machine. The flow may begin at step 210, where a user contacts an online institution, such as, for example, an online bank. In step 220, a query is made as to whether the user is using a virtual machine browser. If a virtual machine browser is being used, the flow passes to step 240. However, if it is determined that the user is not using a virtual machine browser, the flow passes to step 230 where a virtual machine browser is downloaded to the user, and flow then passes to 240. In step 240 a query is made to determine whether the virtual machine browser is current. If it is current, the flow passes to step 260. However, if the virtual machine browser is not current, then flow passes to step 250 where the virtual machine browser is updated or downloaded with the most current components. Flow then passes to step 260. In step 260, self-integrity checks are performed and if the user does not pass, then the session ends. However, if the user passes the self-integrity checks in step 260, the flow passes to step 270 and the user is allowed to connect to the online bank through the updated virtual machine wrapped browser.

Note that with the examples provided herein, interaction may be described in terms of two, three, four, or more network elements. However, this has been done for purposes of clarity and example only. In certain cases, it may be easier to describe one or more of the functionalities of a given set of flows by only referencing a limited number of components or network elements. It should be appreciated that the systems of FIGS. 1 and 2 (and their teachings) are readily scalable. System 10 can accommodate a large number of components, as well as more complicated or sophisticated arrangements and configurations. Accordingly, the examples provided should not limit the scope or inhibit the broad teachings of system 10 as potentially applied to a myriad of other architectures.

It is also important to note that the steps described with reference to the preceding FIGURES illustrate only some of the possible scenarios that may be executed by, or within, system 10. Some of these steps may be deleted or removed where appropriate, or these steps may be modified or changed considerably without departing from the scope of the discussed concepts. In addition, the timing of these operations may be altered considerably and still achieve the results taught in this disclosure. The preceding operational flows have been offered for purposes of example and discussion. Substantial flexibility is provided by system 10 in that any suitable arrangements, chronologies, configurations, and timing mechanisms may be provided without departing from the teachings of the discussed concepts. 

1-20. (canceled)
 21. A method implemented by a system including an operating system and a virtual machine monitor, the method comprising: downloading a browser wrapped in a virtual machine, based on a determination that the browser is not being used in an access to an institution; updating the browser if the browser is determined to not be current; and allowing a connection to the institution through the browser, the system including the browser, the operating system underlying the virtual machine.
 22. The method of claim 21, further comprising: determining whether the browser is allowed to share data, based on an evaluation of a firewall policy.
 23. The method of claim 22, wherein the browser shares the data using a copy buffer or a paste buffer, and the operating system cannot access the copy buffer or the paste buffer.
 24. The method of claim 21, further comprising: evaluating a criterion of a policy to determine whether to permit access to the virtual machine, based on a determination that a master image is not available, the master image corresponding to a version of the browser or a version of the virtual machine.
 25. The method of claim 21, further comprising: comparing the browser to a master image, the master image corresponding to a version of the browser or a version of the virtual machine.
 26. The method of claim 21, further comprising: performing a self-integrity check, wherein the allowing is performed if the self-integrity check passes.
 27. A system, comprising: a memory element that stores instructions; and a processor configured to execute a browser wrapped in a virtual machine, an operating system underlying the virtual machine, wherein the browser is downloaded based on a determination that the browser is not being used in an access to an institution, the browser is updated if the browser is determined to not be current, and a connection to the institution is allowed through the browser.
 28. The system of claim 27, wherein the browser shares data, based on an evaluation of a firewall policy.
 29. The system of claim 28, wherein the browser shares the data using a copy buffer or a paste buffer, and the operating system cannot access the copy buffer or the paste buffer.
 30. The system of claim 27, wherein a criterion of a policy is evaluated to determine whether to permit access to the virtual machine, based on a determination that a master image is not available, the master image corresponding to a version of the browser or a version of the virtual machine.
 31. The system of claim 27, wherein the browser is compared to a master image, the master image corresponding to a version of the browser or a version of the virtual machine.
 32. The system of claim 27, wherein a self-integrity check is performed, and the connection is allowed if the self-integrity check passes.
 33. The system of claim 27, wherein a policy prohibits accessing the virtual machine if a client device requests access to the virtual machine from an unsecured network environment.
 34. A non-transitory computer readable storage medium, comprising: instructions to download a browser wrapped in a virtual machine, based on a determination that the browser is not being used in an access to an institution, an operating system underlying the virtual machine; instructions to update the browser if the browser is determined to not be current; and instructions to allow a connection to the institution through the browser.
 35. The medium of claim 34, further comprising: instructions to determine whether the browser is allowed to share data, based on an evaluation of a firewall policy.
 36. The medium of claim 35, wherein the browser shares the data using a copy buffer or a paste buffer, and the operating system cannot access the copy buffer or the paste buffer.
 37. The medium of claim 34, further comprising: instructions to evaluate a criterion of a policy to determine whether to permit access to the virtual machine, based on a determination that a master image is not available, the master image corresponding to a version of the browser or a version of the virtual machine.
 38. The medium of claim 34, further comprising: instructions to compare the browser to a master image, the master image corresponding to a version of the browser or a version of the virtual machine.
 39. The medium of claim 34, further comprising: instructions to perform a self-integrity check, wherein the connection is allowed if the self-integrity check passes.
 40. The medium of claim 34, wherein a policy prohibits accessing the virtual machine if a client device requests access to the virtual machine from an unsecured network environment. 